b'        Office of Inspector General\n        Audit Report\n\n\n\n\n   INFORMATION TECHNOLOGY\n\n\n Review of Off-Site Consequence\nAnalysis Information Management\n         Audit Report Number 2002-P-00006\n\n                 March 22, 2002\n\x0cInspector General Division                 Information Technology Audits Staff,\n Conducting the Audit                       Washington, DC\n\n\nRegion Covered                             Headquarters\n\n\nProgram Office Involved                    Chemical Emergency Preparedness and\n                                            Prevention Office\n\n\nAudit Team Members                         Edward Densmore\n                                           Kelli Cooper\n                                           Martin Bardak\n\n\n\n\nAbbreviations\n\n CEPPO            Chemical Emergency Preparedness and Prevention Office\n CSISSFRRA        Chemical Safety Information, Site Security and Fuels Regulatory Relief Act\n EPA              U. S. Environmental Protection Agency\n OCA              Off-Site Consequence Analysis\n OIG              Office of Inspector General\n RMP              Risk Management Plan\n SRMP             System for Risk Management Plans\n\x0cMEMORANDUM\n\n\nSUBJECT:      Final Report: Review of Off-Site Consequence\n               Analysis Information Management\n               Report No. 2002-P-00006\n\n\nFROM:         Edward Densmore, Project Manager\n               Information Technology Audits Staff (2421)\n\n\nTO:           Jim Makris, Director\n                Chemical Emergency Preparedness and Prevention Office (5104A)\n\n              Mark Day, Director\n               Office of Technology, Operations and Planning (2381)\n\n\n\nPurpose\nThe objective of this audit was to review the release of Off-Site Consequence Analysis (OCA)\ninformation that was not authorized for public disclosure on the Chemical Emergency\nPreparedness and Prevention Office (CEPPO) website and determine the adequacy of controls\nover the collection, maintenance, and dissemination of OCA data. OCA information is used to\nhelp prevent chemical accidents, and provide an estimate of the potential consequences to a\nsurrounding community of one or more hypothetical accidental chemical releases.\n\nBackground\nCEPPO provides leadership, advocacy, and assistance to: (1) prevent and prepare for chemical\nemergencies; (2) respond to environmental crises; and (3) inform the public about chemical\nhazards in their community. To protect human health and the environment, CEPPO develops,\nimplements, and coordinates regulatory and non-regulatory programs in partnership with all\nEnvironmental Protection Agency (EPA) regions, domestic and international organizations in the\npublic and private sectors, and the general public.\n\x0cIn 1990, the Clean Air Act (Public Law 101-549) was amended in response to public concerns\nabout what could be done to prevent chemical accidents from occurring in their communities.\nRegulations require industry to inform EPA and States on how they manage chemical risks and\nwhat they are doing to reduce risk to the community. Certain facilities are required to submit a\nRisk Management Plan (RMP) to EPA to document what they are doing to prevent accidents, and\nhow they plan to manage their chemicals and operate in a safe and responsible manner. RMPs\ninclude facility registration information, OCA data, a 5-year accident history, and information on\nprevention and emergency response programs.\n\nA contractor (hereafter referred to as the database contractor) receives the RMPs and compiles\nthe information in the System for Risk Management Plans (SRMP). SRMP is an Oracle database\ndeveloped by a second contractor (hereafter referred to as the program contractor), and the\ndatabase is used to consolidate the RMPs. SRMP is comprised of six subsystems, including\nRMP*Info TM, which contains summaries of facility RMPs in 50 separate downloadable State\ndatabase files. These database files were made available to the public on EPA\xe2\x80\x99s website.\n\nPublic Law 106-40, the Chemical Safety Information, Site Security and Fuels Regulatory Relief\nAct (CSISSFRRA), enacted on August 5, 1999, required that OCA information be made available\nto authorized officials for emergency planning and response purposes. It included a provision to\nexempt OCA information from public disclosure for one year from the Act\xe2\x80\x99s inception, or until\nregulations were promulgated. EPA and the Department of Justice issued a rule in August 2000,\nentitled Accidental Release Prevention Requirements; Risk Management Programs Under the\nClean Air Act Section 112(r)(7); Distribution of Off-Site Consequence Analysis Information,\nauthorizing some OCA data elements to be made public.\n\nIn April 2001, OCA information was made available in downloadable state database files from\nCEPPO\xe2\x80\x99s website for the first time. However, the April 2001 files made some unauthorized\nelements of OCA information available for download. A CEPPO official detected the error on\nJune 6, 2001, and took action to immediately have the information removed from the website. In\nJune 2001, the Director of CEPPO requested the Office of Inspector General to examine the\ncause of the incident, the actions taken, and systemic changes necessary to prevent this type of an\nevent from reoccurring.\n\nScope and Methodology\nThis audit examined the incident involving the unauthorized OCA data being made available for\ndownload on the CEPPO website. As part of our review, we examined CEPPO\xe2\x80\x99s oversight of the\ncontractors responsible for making programmatic changes to the RMP program and running the\nSRMP. We also reviewed EPA\xe2\x80\x99s procedures to make information available on the website.\nFinally, we examined the RMP*Info download logs from April 2001 through June 2001.\n\nWe conducted our audit fieldwork from July 2001 to December 2001 at EPA Headquarters in\nWashington, DC. We interviewed CEPPO and Office of Environmental Information officials\nwithin EPA, and contractor personnel responsible for programming and maintaining the SRMP.\n\n\n                                                 2\n\x0cOur review included identifying who downloaded information from the CEPPO website,\nreviewing statements of work for the contractors, and the change control process for making\nchanges to the SRMP. In addition, we reviewed and analyzed policies, standards, and procedures\nspecifically related to the audit objectives. There was no prior audit coverage relating to the\nCEPPO office or the SRMP. We conducted this audit in accordance with \xe2\x80\x9cGovernment Auditing\nStandards\xe2\x80\x9d, issued by the Comptroller General of the United States.\n\nResults of Review\nUnauthorized OCA information was inadvertently made available for download on the EPA\nwebsite from April to June 2001. As a result of this information being made available for\ndownload on EPA\xe2\x80\x99s website, unauthorized individuals had access to sensitive OCA data. This\noccurred due to a lack of management oversight over the software testing of program changes to\nthe SRMP. Specifically, CEPPO did not adequately oversee the database and program\ncontractors responsible for maintaining the SRMP system, and processing the RMPs submitted to\nEPA.\n\nUnauthorized Information Available on EPA\xe2\x80\x99s Website\n\nOCA information, not authorized for public disclosure on the Internet, was unintentionally made\navailable for downloading on EPA\xe2\x80\x99s website from April to June 2001. The Clean Air Act requires\nfacilities to submit RMPs to EPA if they have specific toxic and/or flammable chemicals greater\nthan the established thresholds. The RMP information is received by the database contractor,\nwho inputs the RMP information into SRMP. This contractor then provides the consolidated\ninformation to EPA, and the information is then made available for download from the website, as\nrequired by CSISSFRRA.\n\nThe August 1999 enactment of CSISSFRRA exempted OCA information from disclosure under\nthe Freedom of Information Act, and limited public availability for at least one year. OCA data\ncould be made available to Federal, State, and local officials, including members of Local\nEmergency Planning Committees, as well as qualified researchers. However, these individuals\nwere prohibited from releasing the OCA information to the public in the specific form of the\nRMP. In August 2000, EPA and the Department of Justice jointly issued a rule stating that\nportions of the OCA information (e.g., concentration of chemical released, duration of release,\nwind speed, etc.) should be included on the Internet as publicly accessible information.\n\nIn April 2001, the program contractor provided the database contractor an upgrade to include the\nOCA information in the downloadable files for the first time. The database contractor used the\nupgrade to create the April 2001 release of downloadable files. The database contractor\nprovided the files to EPA, and they were made available for download on the website. However,\nthis release included some unauthorized elements of OCA information. Specifically, Alternative\nRelease Scenario information, such as the radius of the vulnerable zone and the estimated\npopulation effected by the chemical release, were included. The subsequent releases in May and\nJune 2001 also included the unauthorized elements of OCA information.\n\n\n                                                3\n\x0cAs a result of this information being made available for download on EPA\xe2\x80\x99s website, unauthorized\nindividuals had access to sensitive OCA information. Specifically, OCA information provides a\ngeneral account of the consequences of a chemical release in terms of the damage that might be\ninflicted on a facility\xe2\x80\x99s surrounding community. This includes a rough sketch of what is involved\nin triggering a release from an RMP facility, including the name of the chemical involved, the\nprojected quantity of chemical released, and the duration of the release. In addition, a map or\ngraphic of the alternative release scenario, may be included. This information could be used by\nterrorist organizations to identify and prioritize target facilities that would have the greatest\ncatastrophic impact.\n\nImprovements Needed in Oversight of Software Testing\n\nCEPPO management did not ensure that adequate testing was performed for program changes to\nthe RMP database. The CEPPO project manager stated that prior to the incident, testing and\nquality assurance were performed by the database contractor for the input of data, not for the\noutput. CEPPO personnel, as well as the database contractor, did not pay close enough attention\nto the RMP downloads to determine whether the data was sensitive. They became too\ncomfortable with the work of the program contractor because of the high quality and reliability of\nprior software changes. Consequently, testing performed by the program contractor responsible\nfor making changes to the SRMP was not adequately reviewed by CEPPO to ensure the data\nfields reflected information authorized for release.\n\nWe found testing was performed using only six test RMPs that were internally generated by the\nprogram contractor for testing software changes. The SRMP, which is designed to maintain\nthousands of RMPs and allow for various queries of all compiled data, should have been tested\nwith a larger sample. Also, the contractor did not test for the differentiation of the fields for\npublic and non-public OCA data. CEPPO did not identify this as a potential deficiency with the\ntesting. The program contractor stated they did not test for these differentiations, nor focus close\nenough attention to the potential for unauthorized OCA data being disclosed.\n\nActions Taken By CEPPO\n\nOn June 6, 2001, a CEPPO official identified that unauthorized information was available for\ndownload from the EPA website, and immediately notified both the program and database\ncontractors. Within a few hours, the program contractor delivered to the database contractor two\nprograms. One program was to correct the problem; the second was to monitor and ensure\nunauthorized OCA data would not be viewable to the general public once the RMP databases\nwere again made available on EPA\xe2\x80\x99s website. Since the discovery of the unauthorized OCA\ninformation, CEPPO implemented new practices to ensure sensitive data will not be erroneously\nreleased. Specifically, CEPPO personnel now closely review the RMP database output to ensure\nonly authorized public information is released. In addition, CEPPO wrote programs that they run\nagainst the RMP downloads to ensure unauthorized OCA data is not included on EPA\xe2\x80\x99s website.\n\nActions Taken by Contractors\n\n\n\n                                                 4\n\x0cThe program contractor now requires peer reviews and more thorough levels of testing\nthroughout the project life cycle. The database contractor\xe2\x80\x99s procedures now include testing of\ninput, as well as ensuring unauthorized OCA data is not included in the releases provided to EPA.\nThe database contractor also runs a program that reviews the RMP databases to ensure only\ninformation that should be disclosed through EPA\xe2\x80\x99s website is accessible. Finally, the database\ncontractor manually reviews at least five records before the data is released to EPA.\n\nRecommendations\nWe recommend the Director of the Chemical Emergency Preparedness and Prevention Office:\n\n       1. Establish a policy requiring that the downloadable database files are reviewed to\n          ensure only authorized elements of OCA data are made available to the public.\n\n       2. Require current and future RMP database outputs be reviewed to ensure only\n          authorized public information is released.\n\n       3. Establish requirements for testing SRMP programing changes to:\n\n           a.   Include steps to ensure OCA information, not authorized for public disclosure on\n                the Internet, is not made available for download.\n\n           b.   Verify that adequate testing of changes for the SRMP database are performed\n                and documented.\n\nEPA Response\nThe March 19, 2002, response from the Office of Solid Waste and Emergency Response\n(OSWER) indicated that CEPPO agrees with the above-stated recommendations (see Attachment\n1). Specifically, CEPPO completed modifications to the SRMP, to ensure protection of OCA\ninformation. The software development contractor performed extensive testing on these\nmodifications, and the controls CEPPO instituted will remain a permanent part of the operating\nprocedures. The CEPPO project manager verifies that adequate testing of changes to the SRMP\ndatabase has been performed and documented. Finally, CEPPO will provide actual OCA data to\nthe development contractor for testing system modifications.\n\nThe Office of Technology Operations and Planning (OTOP) responded to the draft report on\nMarch 14, 2002, and had no comments (see Attachment 2).\n\n\n\n\n                                                5\n\x0cOIG Evaluation\n\n\n\n\n                 6\n\x0cIn our opinion, the actions taken by CEPPO will assist in safeguarding non-public OCA\ninformation from public disclosure. The modifications made to the SRMP eliminates the\n\xe2\x80\x98placeholders\xe2\x80\x99 for non-public OCA data in the files made available for download. However,\nCEPPO needs to ensure, when future modifications are made to the SRMP, only public OCA\ninformation is released. CEPPO should establish a policy requiring downloadable files to be\nreviewed to confirm only OCA information suitable for public disclosure is made available. In\naddition, while we agree with the actions taken by CEPPO project management to verify testing\nhas been performed and documented, requirements need to be established to ensure verification\nand documentation of testing will continue.\n\nAction Required\nThis audit report contains findings that describe problems the OIG has identified and corrective\nactions the OIG recommends. This audit report represents the opinion of the OIG and the\nfindings contained in this audit report do not necessarily represent the final EPA position. Final\ndeterminations on matters in this audit report will be made by EPA managers in accordance with\nestablished audit resolution procedures.\n\nIn accordance with EPA Order 2750, you, as the action official, are required to provide us with a\nwritten response to the audit report within 90 days of the final audit report date. For corrective\nactions planned but not completed by the response date, reference to specific milestone dates will\nassist us in deciding whether to close this report.\n\nWe appreciate your positive response to the recommendations presented in the report and the\nactions you and your staff have taken to ensure security over the release of OCA data. We have\nno objections to the further release of this report to the public. Should you or your staff have any\nquestions regarding this report, please contact Kelli Cooper, Auditor-In-Charge, at\n(202) 260-8981.\n\nAttachments\n\ncc:    Kathy Jones, Associate Director of Program Implementation and Coordination Staff\n       Peter Gattuso, Information Management Specialist\n       Dorothy McManus, Program Analyst\n\n\n\n\n                                                 7\n\x0c                                 Attachment 1\n\nOSWER Comments to Draft Report\n\n\n\n\n              8\n\x0c      Attachment 1\n\n-2-\n\n\n\n\n9\n\x0c                                Attachment 2\n\nOTOP Comments to Draft Report\n\n\n\n\n             10\n\x0c                                                                               Attachment 3\n\n                                  Report Distribution\n\n\n\nOffice of Inspector General\n\n       Inspector General (2410)\n\n\nHeadquarters Offices\n\n       Assistant Administrator, OSWER (5101)\n       Director, CEPPO (5104A)\n       Director, OTOP (2381)\n       Comptroller (2731A)\n       Agency Followup Official (2710A)\n       Audit Liaison, OSWER (5103)\n       Audit Liaison, OEI (2811R)\n       Agency Audit Followup Coordinator (2724A)\n       Associate Administrator for Congressional and Intergovernmental Relations (1301A)\n       Associate Administrator for Communications, Education, and Media Relations (1101A)\n\n\n\n\n                                            11\n\x0c'